1. Home
  2. Software
  3. PlugX

PlugX

PlugX is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. [1] [2] [3] [4]

ID: S0013
Associated Software: DestroyRAT, Sogu, Kaba, Korplug
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 31 May 2017
Last Modified: 20 June 2020

Associated Software Descriptions

Name Description
DestroyRAT

[5]
Sogu

[1] [2][5]
Kaba

[2]
Korplug

[1][5]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PlugX can be configured to use HTTP for command and control.[4]
.004 Application Layer Protocol: DNS

PlugX can be configured to use DNS for command and control.[4]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PlugX adds Run key entries in the Registry to establish persistence.[1][6][5]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

PlugX allows actors to spawn a reverse shell on a victim.[4][5]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

PlugX can be added as a service to establish persistence. PlugX also has a module to change service configurations as well as start, control, and delete services.[5][1][6][7][8]
Enterprise T1140 Deobfuscate/Decode Files or Information

PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.[5]
Enterprise T1083 File and Directory Discovery

PlugX has a module to enumerate drives and find files recursively.[5]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

PlugX has used DLL side-loading to evade anti-virus.[2][4][9][6][10]
Enterprise T1105 Ingress Tool Transfer

PlugX has a module to download and execute files on the compromised machine.[5]
Enterprise T1056 .001 Input Capture: Keylogging

PlugX has a module for capturing keystrokes per process including window titles.[5]
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

In one instance, menuPass added PlugX as a service with a display name of "Corel Writing Tools Utility."[7]
Enterprise T1112 Modify Registry

PlugX has a module to create, delete, or modify Registry keys.[5]
Enterprise T1106 Native API

PlugX can use the Windows API function CreateProcess to execute another process.[1]
Enterprise T1135 Network Share Discovery

PlugX has a module to enumerate network shares.[5]
Enterprise T1095 Non-Application Layer Protocol

PlugX can be configured to use raw TCP or UDP for command and control.[4]
Enterprise T1057 Process Discovery

PlugX has a module to list the processes running on a machine.[5]
Enterprise T1012 Query Registry

PlugX can enumerate and query for information contained within the Windows Registry.[1][5]
Enterprise T1113 Screen Capture

PlugX allows the operator to capture screenshots.[5]
Enterprise T1049 System Network Connections Discovery

PlugX has a module for enumerating TCP and UDP network connections and associated processes using the netstat command.[5]
Enterprise T1127 .001 Trusted Developer Utilities Proxy Execution: MSBuild

A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques.[10]
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

PlugX checks if VMware tools is running in the background by searching for any process named "vmtoolsd". [11]
Enterprise T1102 .001 Web Service: Dead Drop Resolver

PlugX uses Pastebin to store C2 addresses.[10]

Groups That Use This Software

ID Name References
G0022 APT3

[2]
G0027 Threat Group-3390

[4][12][13]
G0017 DragonOK

[3]
G0045 menuPass

[6][7][14]
G0062 TA459

[15]
G0093 GALLIUM

[16]
G0096 APT41

[17]
G0126 Higaisa

[18]
G0129 Mustang Panda

[19][20][21][22][23]

References

  1. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  2. Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
  3. Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.
  4. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  5. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  6. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  7. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  8. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  9. Stewart, A. (2014). DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry. Retrieved November 12, 2014.
  10. Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.
  11. Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019.
  12. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  1. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  2. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  3. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  4. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  5. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  6. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  7. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
  8. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  9. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  10. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  11. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.